Chris Skidmore: On the European directive, which is to be introduced in May 2018, the codes will be revised and will reflect that. That is why the flexibility we have from the codes not being written into the Bill is so important—so that we can deal with instances in which there will be change in the future. They will be updated to reflect that change in May 2018.
Civil registration officers—public servants who want to share data for the benefit of the public—are not trying to do anything that would compromise those whom they serve. In the code of practice, paragraph 47 states that privacy impact assessments will be put in place to ensure that there will be compliance with data protection obligations and that they meet individual expectations of privacy. All Departments entering into data sharing arrangements under the powers must comply with privacy impact assessments and publish the findings. We want to ensure transparency so that members of the public understand why it is necessary for those data to be shared.
An application to share data is not simply a permissive path by which new data sharing arrangements can be established without going through due process and regard. In the fairness and transparency section of the data code of practice, there are many questions that must be addressed in order to establish the data sharing arrangements. They are clearly laid out.

Chris Skidmore: Paragraphs 47 and 49 of the civil registration data sharing code of practice clearly state:
“All government departments entering into data sharing arrangements under these powers must conduct a Privacy Impact Assessment and to publish its findings. The Information Commissioner’s Conducting Privacy Impact Assessments code of practice provides guidance on a range of issues in respect of these assessments, including the benefits of conducting privacy impact assessments and practical guidance on the process required to carry one out…Registration officials entering into new data sharing arrangements should refer to the following guidance issued by the Information Commissioner on Privacy Impact Assessments which includes screening questions…to determine whether a Privacy Impact Assessment is required.”
On health care data, the Government are considering Dame Fiona Caldicott’s recommendations. The consultation closed on 7 September, and I confirm that the Bill’s powers will not be used in relation to health and care data before we have completed that process.

Louise Haigh: These are further amendments tabled by my hon. Friend the Member for Cardiff West and me to make the codes of practice, on which officials have obviously worked so hard and which were developed in consultation with the s, legally binding. With your permission, Mr Stringer, I will come to specific issues about the data-sharing measures and fraud during debate on clause stand part.
I appreciate what the Minister said about sanctions being enforced on those authorities that do not have regard to the code of practice, but it says on the front page of the code:
“The contents of this Code are not legally binding”;
it merely
“recommends good practice to follow when exercising the powers set out in the Bill.”
That is not really a strong enough message to send to officials and all those involved in data-sharing arrangements. I would be interested to hear examples from the Minister of when it would be considered reasonable not to follow the code, as I assume that that is why he does not want to build it into primary legislation. I know that he will tell me that his real reason is that he wants to future-proof the codes. That is all well and good, but the Bill is already outdated. One witness wrote to us in evidence:
“Part 5 seems to imply an approach to ‘data sharing’ modelled on the era of filing cabinets and photocopiers when—quite literally—the only way to make data available to others was to send them a duplicate physical copy. Modern technology has already rendered the need for such literal ‘data sharing’ obsolete: data can now be used without copying it to others and without compromising security and privacy.”
Furthermore, data sharing is not defined, either legally or technically, in the Bill or in the codes of practice. Does data sharing mean data duplication—copying and distribution—or does it mean data access, or alternatives such as attribute exchange or claim confirmation? These are all quite different things, with their own very distinct risk profiles, and in the absence of any definition, the term “data sharing” is ambiguous at best and potentially damaging in terms of citizens’ trust, cyber-security and data protection. Let me give an example: there is a significant difference between, and different security risk associated with, distributing personal information to third parties, granting them controlled and audited one-time access for the purpose of a specific transaction, or simply confirming that a person is in debt or is or is not eligible for a particular benefit, without revealing any of their detailed personal data.
What is more, there is no reference in the clause to identity and how officials, citizens, or organisations, or even devices and sensors, will be able to prove who they are and their entitlement to access specific personal data. Without this, it is impossible to share data securely, since it will not be possible to know with whom data are being shared and whether they are an appropriate person or organisation to have access to those data. Security audits, of who has accessed which data, when and why, require a trusted identity framework to ensure that details of who has been granted access to data are accurately recorded. Presumably, it will also be mandatory to implement good practice security measures, such as protective monitoring, preventing in real time inappropriate attempts at data access, and flagging such attempts, to enable immediate mitigating action to be taken.
As I said on Tuesday, all these details are moot, as are the codes of practice and indeed the Information Commissioner’s Office’s excellent code of practice, if the existence and detail of data sharing is not known about to be challenged; hence the need for a register, as set out in new clause 35. That is why we have tabled our amendments and we would like the Minister to give serious consideration to the inclusion of these important principles and safeguards in the Bill. We are not talking about detailed regulations, we are certainly not talking about holding back technological advances, and we are not talking about the “dead hand of Whitehall”, as the Minister said on Tuesday. We are talking about vital principles that should be in primary legislation, alongside any new powers to share information. The most important of those principles is transparency, which is exactly what new clause 35 speaks to. It would require public authorities to enter in a public register all data disclosures across Government.
The Minister did not know the detail of the audits that are mentioned in the codes of practice. We really need more detail on those audits, as it may well satisfy us in our request for this register. Will all data-sharing agreements be kept in a single place in each Department, updated as data are shared and disclosed across Government, with Government agencies and with non-public sector organisations? Will these additional agencies keep similar audits and—crucially—will those audits be publicly available? Also, will the audits include the purpose of the disclosure, the specific data to be disclosed, how the data were transferred, how the data are stored and for how long, how the data are deleted at the end of that time frame, what data controllers and processors are involved in the sharing of that data, and any other restrictions on the use of further disclosure of that data?
If we have, in a single place, data-sharing amendments, as this amendment would establish, the public can see and trust how their data are being used and for what purpose. They can understand why they are getting a letter from Concentrix about Her Majesty’s Revenue and Customs, or why they have been targeted for a warm home scheme, and—crucially—they can correct or add to any information on themselves that is wrongly held.

Chris Skidmore: Yes, I can confirm that. Moving forward, I reassure the Committee that we will continue to work closely with Citizens Advice and StepChange to look at fairness in Government debt management processes. Only HMRC and DWP have full reciprocal debt data-sharing gateways in place, under the Welfare Reform Act 2012. This power will help level the playing field for specified public authorities by providing a straightforward power to share data for clearly outlined purposes. Current data-sharing arrangements are time-consuming and complex to set up, and significantly limit the ability of public authorities to share debt data. This power will help facilitate better cross-Government collaboration that will help drive innovation to improve debt management. The clause will provide a clear power for specified public authorities to share data for those purposes, and will remove the existing complications and ambiguities over what can and cannot be shared and by whom.

Amendment made: 129, in clause 44, page 42, line 7, at end insert—
“( ) The code of practice must be consistent with the code of practice issued under section 52B (data-sharing code) of the Data Protection Act 1998 (as altered or replaced from time to time).”
This amendment requires a code of practice issued under clause 44 by the relevant Minister and relating to the disclosure of information under clause 40 to be consistent with the data-sharing code of practice issued by the Information Commissioner under the Data Protection Act 1998.—(Chris Skidmore.)

Chris Skidmore: When it comes to the point of process that the hon. Gentleman mentions, we intend to return this further into the Bill. The particular issue that arose with the amendments as currently drafted is that the need for consent needs to apply correctly only to devolved matters. We found that the amendments do not reflect that, which is why we wish to withdraw them today.

Amendments made: 131, in clause 49, page 46, line 43, at end insert—
“(ba) for the prevention or detection of crime or the prevention of anti-social behaviour,”
This amendment and amendment 134 create a further exception to the bar on using information disclosed under Chapter 4 of Part 5 of the Bill for a purpose other than that for which it was disclosed. The amendments allow use for the prevention or detection of crime or the prevention of anti-social behaviour.
Amendment 132, in clause 49, page 46, line 44, leave out “(whether or not in the United Kingdom)”
This amendment removes the provision stating that a criminal investigation for the purposes of clause 49(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to a criminal investigation covers an investigation overseas in any event.
Amendment 133, in clause 49, page 46, line 46, leave out “and whether or not in the United Kingdom”
This amendment removes the provision stating that legal proceedings for the purposes of clause 49(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to legal proceedings covers proceedings overseas in any event.
Amendment 134, in clause 49, page 47, line 6, at end insert—
“( ) In subsection (2)(ba) “anti-social behaviour” has the same meaning as in Part 1 of the Anti-social Behaviour, Crime and Policing Act 2014 (see section 2 of that Act).”
See the explanatory statement for amendment 131.—(Chris Skidmore.)

Amendments made: 135, in clause 50, page 47, line 44, at end insert—
“(da) for the prevention or detection of crime or the prevention of anti-social behaviour,”
This amendment and amendment 138 create a further exception to the bar on the further disclosure of information disclosed under Chapter 4 of Part 5 of the Bill, allowing disclosure for the prevention or detection of crime or the prevention of anti-social behaviour.
Amendment 136, in clause 50, page 48, line 1, leave out “(whether or not in the United Kingdom)”
This amendment removes the provision stating that a criminal investigation for the purposes of clause 50(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to a criminal investigation covers an investigation overseas in any event.
Amendment 137, in clause 50, page 48, line 4, leave out “and whether or not in the United Kingdom”
This amendment removes the provision stating that legal proceedings for the purposes of clause 50(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to legal proceedings covers proceedings overseas in any event.
Amendment 138, in clause 50, page 48, line 11, at end insert—
“( ) In subsection (2)(da) “anti-social behaviour” has the same meaning as in Part 1 of the Anti-social Behaviour, Crime and Policing Act 2014 (see section 2 of that Act).”
See the explanatory statement for amendment 135.
Amendment 139, in clause 50, page 48, line 12, leave out subsections (3) and (4) and insert—
“( ) A person commits an offence if—
(a) the person discloses personal information in contravention of subsection (1), and
(b) at the time that the person makes the disclosure, the person knows that the disclosure contravenes that subsection or is reckless as to whether the disclosure does so.”
This amendment applies to the disclosure of personal information in contravention of subsection (1) of clause 50. It has the effect that it is an offence to do so only if the person knows that the disclosure contravenes that subsection or is reckless as to whether it does so.—(Chris Skidmore.)

Amendment made: 140, in clause 52, page 49, line 7, at end insert—
“( ) The code of practice must be consistent with the code of practice issued under section 52B (data-sharing code) of the Data Protection Act 1998 (as altered or replaced from time to time).”
This amendment requires a code of practice issued under clause 52 by the relevant Minister and relating to the disclosure of information under clause 48 to be consistent with the data-sharing code of practice issued by the Information Commissioner under the Data Protection Act 1998.—(Chris Skidmore.)